slow connections file transfers through pf

To: misc_(_at_)_openbsd_(_dot_)_org

Subject: slow connections file transfers through pf

From: b h <bobhumphrey22_(_at_)_yahoo_(_dot_)_com>

Date: Sat, 14 Aug 2004 15:39:18 -0700 (PDT)

Hi
I've been transferring large amounts of data over scp
and I used to get to transfer rates of up to (and
maybe over) 100k. About two weeks ago, something
happened, and I never get this, I get transfer rates
of an annoying 10-20k (annoying when I have to
transfer over 100gb of data).
I have a Soekris net4801 running
OpenBSD 3.5-current (GENERIC) #203: Sun Jul 4
21:42:55 MDT 2004
performing NAT/PF/RDR functionalities. Before the
suggestion is made of ACK prioritization, please let me
say I have a cable modem, not ADSL, and I do believe
that ACK prioritization only helps out the asymmetric
connections, and cable modem (specifically
cablevision, usa) isn't asymmetric. Please correct me
if this isn't the case.
I looked at top, df, etc. and everything looks normal,
98% idle, filesystems at most 50%. I've rebooted the
Soekris too, and it comes up with the same dismal
performance now. My client has been both
Windows/WinSCP, as well as another OpenBSD scp but
sometimes it is initiating the connection from outside
to an inside server, and sometimes initiating the
connection from inside going out, always moving the
bulk of the files from inside out. Initiating
connection from inside or outside doesn't seem to make
a difference. All of it seems to have frustrating
performance. And in fact when I copy a file in Windows
to a mapped drive on a remote system (through a Cisco
software VPN), it has recently slowed to a crawl as
well.
Is there some other command I can check to start
debugging the problem? And I'm confused because I
always remember having good performance up until a
couple of weeks ago (transferring 4gb of data at
100k).
my pf.conf:

# macros
int_if = "sis1"
ext_if = "sis0"
# tcp_services = "{ }"
icmp_types = "echoreq"
webserver="10.10.10.2"
priv_nets = "{ 127.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12 }"

set block-policy return
set loginterface $ext_if

scrub in all

nat on $ext_if from $int_if:network to any -> ($ext_if)
rdr on $ext_if proto tcp from any to any port 23 -> $webserver port 80
rdr on $ext_if proto tcp from any to any port 443 -> $webserver port 443
rdr on $ext_if proto tcp from any to any port 22 -> $webserver port 22

block log all
pass quick on lo0 all
block drop in quick on $ext_if from $priv_nets to any
block drop out quick on $ext_if from any to $priv_nets
pass in on $ext_if inet proto tcp from any to $webserver port { 22, 80, 443 } flags S/SA keep state
pass in inet proto icmp all icmp-type $icmp_types keep state
pass in on $int_if from $int_if:network to any keep state
pass out on $int_if from any to $int_if:network keep state
pass out on $ext_if proto tcp all modulate state flags S/SA
pass out on $ext_if proto { udp, icmp } all keep state

Sorry if it's something easy I've missed. Any advice
appreciated.
bh